Caliptra 2.1: An Open-Source Silicon Root of Trust With Enhanced Protection of Data At-Rest
Introducing Caliptra 2.1: an open-source silicon Root of Trust subsystem, providing enhanced protection of data at-rest. Building upon Caliptra 1.0, which included capabilities for identity and measurement, Caliptra 2.1 represents a significant leap forward. It provides a complete RoT security subsystem, quantum resilient cryptography, and extensions to hardware-based key management, delivering defense in depth capabilities. The Caliptra 2.1 subsystem represents a foundational element for securing devices, anchoring through hardware a trusted chain for protection, detection, and recovery.Microsoft Azure Cloud HSM is now generally available
Microsoft Azure Cloud HSM is now generally available. Azure Cloud HSM is a highly available, FIPS 140-3 Level 3 validated single-tenant hardware security module (HSM) service designed to meet the highest security and compliance standards. With full administrative control over their HSM, customers can securely manage cryptographic keys and perform cryptographic operations within their own dedicated Cloud HSM cluster. In today’s digital landscape, organizations face an unprecedented volume of cyber threats, data breaches, and regulatory pressures. At the heart of securing sensitive information lies a robust key management and encryption strategy, which ensures that data remains confidential, tamper-proof, and accessible only to authorized users. However, encryption alone is not enough. How cryptographic keys are managed determines the true strength of security. Every interaction in the digital world from processing financial transactions, securing applications like PKI, database encryption, document signing to securing cloud workloads and authenticating users relies on cryptographic keys. A poorly managed key is a security risk waiting to happen. Without a clear key management strategy, organizations face challenges such as data exposure, regulatory non-compliance and operational complexity. An HSM is a cornerstone of a strong key management strategy, providing physical and logical security to safeguard cryptographic keys. HSMs are purpose-built devices designed to generate, store, and manage encryption keys in a tamper-resistant environment, ensuring that even in the event of a data breach, protected data remains unreadable. As cyber threats evolve, organizations must take a proactive approach to securing data with enterprise-grade encryption and key management solutions. Microsoft Azure Cloud HSM empowers businesses to meet these challenges head-on, ensuring that security, compliance, and trust remain non-negotiable priorities in the digital age. Key Features of Azure Cloud HSM Azure Cloud HSM ensures high availability and redundancy by automatically clustering multiple HSMs and synchronizing cryptographic data across three instances, eliminating the need for complex configurations. It optimizes performance through load balancing of cryptographic operations, reducing latency. Periodic backups enhance security by safeguarding cryptographic assets and enabling seamless recovery. Designed to meet FIPS 140-3 Level 3, it provides robust security for enterprise applications. Ideal use cases for Azure Cloud HSM Azure Cloud HSM is ideal for organizations migrating security-sensitive applications from on-premises to Azure Virtual Machines or transitioning from Azure Dedicated HSM or AWS Cloud HSM to a fully managed Azure-native solution. It supports applications requiring PKCS#11, OpenSSL, and JCE for seamless cryptographic integration and enables running shrink-wrapped software like Apache/Nginx SSL Offload, Microsoft SQL Server/Oracle TDE, and ADCS on Azure VMs. Additionally, it supports tools and applications that require document and code signing. Get started with Azure Cloud HSM Ready to deploy Azure Cloud HSM? Learn more and start building today: Get Started Deploying Azure Cloud HSM Customers can download the Azure Cloud HSM SDK and Client Tools from GitHub: Microsoft Azure Cloud HSM SDK Stay tuned for further updates as we continue to enhance Microsoft Azure Cloud HSM to support your most demanding security and compliance needs.Building Azure Right: A Practical Checklist for Infrastructure Landing Zones
When the Gaps Start Showing A few months ago, we walked into a high-priority Azure environment review for a customer dealing with inconsistent deployments and rising costs. After a few discovery sessions, the root cause became clear: while they had resources running, there was no consistent foundation behind them. No standard tagging. No security baseline. No network segmentation strategy. In short—no structured Landing Zone. That situation isn't uncommon. Many organizations sprint into Azure workloads without first planning the right groundwork. That’s why having a clear, structured implementation checklist for your Landing Zone is so essential. What This Checklist Will Help You Do This implementation checklist isn’t just a formality. It’s meant to help teams: Align cloud implementation with business goals Avoid compliance and security oversights Improve visibility, governance, and operational readiness Build a scalable and secure foundation for workloads Let’s break it down, step by step. 🎯 Define Business Priorities Before Touching the Portal Before provisioning anything, work with stakeholders to understand: What outcomes matter most – Scalability? Faster go-to-market? Cost optimization? What constraints exist – Regulatory standards, data sovereignty, security controls What must not break – Legacy integrations, authentication flows, SLAs This helps prioritize cloud decisions based on value rather than assumption. 🔍 Get a Clear Picture of the Current Environment Your approach will differ depending on whether it’s a: Greenfield setup (fresh, no legacy baggage) Brownfield deployment (existing workloads to assess and uplift) For brownfield, audit gaps in areas like scalability, identity, and compliance before any new provisioning. 📜 Lock Down Governance Early Set standards from day one: Role-Based Access Control (RBAC): Granular, least-privilege access Resource Tagging: Consistent metadata for tracking, automation, and cost management Security Baselines: Predefined policies aligned with your compliance model (NIST, CIS, etc.) This ensures everything downstream is both discoverable and manageable. 🧭 Design a Network That Supports Security and Scale Network configuration should not be an afterthought: Define NSG Rules and enforce segmentation Use Routing Rules to control flow between tiers Consider Private Endpoints to keep services off the public internet This stage sets your network up to scale securely and avoid rework later. 🧰 Choose a Deployment Approach That Fits Your Team You don’t need to reinvent the wheel. Choose from: Predefined ARM/Bicep templates Infrastructure as Code (IaC) using tools like Terraform Custom Provisioning for unique enterprise requirements Standardizing this step makes every future deployment faster, safer, and reviewable. 🔐 Set Up Identity and Access Controls the Right Way No shared accounts. No “Owner” access to everyone. Use: Azure Active Directory (AAD) for identity management RBAC to ensure users only have access to what they need, where they need it This is a critical security layer—set it up with intent. 📈 Bake in Monitoring and Diagnostics from Day One Cloud environments must be observable. Implement: Log Analytics Workspace (LAW) to centralize logs Diagnostic Settings to capture platform-level signals Application Insights to monitor app health and performance These tools reduce time to resolution and help enforce SLAs. 🛡️ Review and Close on Security Posture Before allowing workloads to go live, conduct a security baseline check: Enable data encryption at rest and in transit Review and apply Azure Security Center recommendations Ensure ACC (Azure Confidential Computing) compliance if applicable Security is not a phase. It’s baked in throughout—but reviewed intentionally before go-live. 🚦 Validate Before You Launch Never skip a readiness review: Deploy in a test environment to validate templates and policies Get sign-off from architecture, security, and compliance stakeholders Track checklist completion before promoting anything to production This keeps surprises out of your production pipeline. In Closing: It’s Not Just a Checklist, It’s Your Blueprint When implemented well, this checklist becomes much more than a to-do list. It’s a blueprint for scalable, secure, and standardized cloud adoption. It helps teams stay on the same page, reduces firefighting, and accelerates real business value from Azure. Whether you're managing a new enterprise rollout or stabilizing an existing environment, this checklist keeps your foundation strong. Tags - Infrastructure Landing Zone Governance and Security Best Practices for Azure Infrastructure Landing Zones Automating Azure Landing Zone Setup with IaC Templates Checklist to Validate Azure Readiness Before Production Rollout Monitoring, Access Control, and Network Planning in Azure Landing Zones Azure Readiness Checklist for ProductionStrengthening Azure infrastructure and platform security - 5 new updates
In the face of AI-driven digital growth and a threat landscape that never sleeps, Azure continues to raise the bar on Zero Trust-ready, “secure-by-default” networking. Today we’re excited to announce five innovations that make it even easier to protect your cloud workloads while keeping developers productive: Innovation What it is Why it matters Next generation of Azure Intel® TDX Confidential VMs (Private Preview) Azure’s next generation of Confidential Virtual Machines now powered by the 5th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). Enables organizations to bring confidential workloads to the cloud without code changes to applications. The supported VMs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. CAPTCHA support for Azure WAF (Public Preview) A new WAF action that presents a visual / audio CAPTCHA when traffic matches custom or Bot Manager rules. Stops sophisticated, human-mimicking bots while letting legitimate users through with minimal friction. Microsoft Learn Azure Bastion Developer (New Regions, simplified secure-by-default UX) A free, lightweight Bastion offering surfaced directly in the VM Connect blade. One-click, private RDP/SSH to a single VM—no subnet planning, no public IP. Gives dev/test teams instant, hardened access without extra cost, jump servers, or NSGs. Azure Azure Virtual Network TAP (Public Preview) Native agentless packet mirroring available for all VM SKUs with zero impact to VM performance and network throughput. Deep visibility for threat-hunting, performance, and compliance—now cloud-native. Microsoft Learn Azure Firewall integration in Security Copilot (GA) A generative AI-powered solution that helps secure networks with the speed and scale of AI. Threat hunt across Firewalls using natural language questions instead of manually scouring through logs and threat databases. Microsoft Learn 1. Next generation of Azure Intel® TDX Confidential VMs (Private Preview) We are excited to announce the preview of Azure’s next generation of Confidential Virtual Machines powered by the 5th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). This will help to enable organizations to bring confidential workloads to the cloud without code changes to applications. The supported VMs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. Azure’s next generation of confidential VMs will bring improvements and new features compared to our previous generation. These VMs are our first offering to utilize our open-source paravisor, OpenHCL. This innovation allows us to enhance transparency with our customers, reinforcing our commitment to the "trust but verify" model. Additionally, our new confidential VMs support Azure Boost, enabling up to 205k IOPS and 4 GB/s throughput of remote storage along with 54 GBps VM network bandwidth. We are expanding the capabilities of our Intel® TDX powered confidential VMs by incorporating features from our general purpose and other confidential VMs. These enhancements include Guest Attestation support, and support of Intel® Tiber™ Trust Authority for enterprises seeking operator independent attestation. The DCesv6-series and ECesv6-series preview is available now in the East US, West US, West US 3, and West Europe regions. Supported OS images include Windows Server 2025, Windows Server 2022, Ubuntu 22.04, and Ubuntu 24.04. Please sign up at aka.ms/acc/v6preview and we will reach out to you. 2. Smarter Bot Defense with WAF + CAPTCHA Modern web applications face an ever-growing array of automated threats, including bots, web scrapers, and brute-force attacks. Many of these attacks evade common security measures such as IP blocking, geo-restrictions, and rate limiting, which struggle to differentiate between legitimate users and automated traffic. As cyber threats become more sophisticated, businesses require stronger, more adaptive security solutions. Azure Front Door’s Web Application Firewall (WAF) now introduces CAPTCHA in public preview—an interactive mechanism designed to verify human users and block malicious automated traffic in real time. By requiring suspicious traffic to successfully complete a CAPTCHA challenge, WAF ensures that only legitimate users can access applications while keeping bots at bay. This capability is particularly valuable for common login and sign-up workflows, mitigating the risk of account takeovers, credential stuffing attacks, and brute-force intrusions that threaten sensitive user data. Key Benefits of CAPTCHA on Azure Front Door WAF Prevent Automated Attacks – Blocks bots from accessing login pages, forms, and other critical website elements. Secure User Accounts – Mitigates credential stuffing and brute-force attempts to protect sensitive user information. Reduce Spam & Fraud – Ensures only real users can submit comments, register accounts, or complete transactions. Easy Deployment and Management – Requires minimal configuration, reducing operational overhead while maintaining a robust security posture. How CAPTCHA Works When a client request matches a WAF rule configured for CAPTCHA enforcement, the user is presented with an interactive CAPTCHA challenge to confirm they are human. Upon successful completion, Azure WAF validates the request and allows access to the application. Requests that fail the challenge are blocked, preventing bots from proceeding further. Getting Started CAPTCHA is now available in public preview for Azure WAF. Administrators can configure this feature within their WAF policy settings to strengthen bot mitigation strategies and improve security posture effortlessly. To learn more and start protecting your applications today, visit our Azure WAF documentation. 3. Azure Bastion Developer—Secure VM Access at Zero Cost Azure Bastion Developer is a lightweight, free offering of the Azure Bastion service designed for Dev/Test users who need secure connections to their Virtual Machines (VMs) without requiring additional features or scalability. It simplifies secure access to VMs, addressing common issues related to usability and cost. To get started, users can sign in to the Azure portal and follow the setup instructions for connecting to their VMs. This service is particularly beneficial for developers looking for a cost-effective solution for secure connectivity. It's now available in 36 regions with a new portal secure by default user experience. Key takeaways Instant enablement from the VM Connect tab. One concurrent session, ideal for dev/test and PoC environments. No public IPs, agents, or client software required. 4. Deep Packet Visibility with Virtual Network TAP Azure virtual network terminal access point enables customers to mirror virtual machine traffic to packet collectors or analytics tools without having to deploy agents or impact virtual machine network throughput, allowing you to mirror 100% of your production traffic. By configuring virtual network TAP on a virtual machine’s network interface, organizations can stream inbound and outbound traffic to destinations within the same or peered virtual network for real-time monitoring for various uses cases, including: Enhanced security and threat detection: Security teams can inspect full packet data in real-time to detect and respond to potential threats. Performance monitoring and troubleshooting: Operations teams can analyze live traffic patterns to identify bottlenecks, troubleshoot latency issues, and optimize application performance. Regulatory compliance: Organizations subject to compliance frameworks such as Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR) can use virtual network TAP to capture network activity for auditing and forensic investigations. Virtual network TAP supports all Azure VM SKU and integrates seamlessly with validated partner solutions, offering extended visibility and security capabilities. For a list of partner solutions that are validated to work with virtual network TAP, see partner solutions. 5. Protect networks at machine speed with Generative AI Azure Firewall intercepts and blocks malicious traffic using the intrusion detection and prevention system (IDPS) today. It processes huge volumes of packets, analyzes signals from numerous network resources, and generates vast amounts of logs. To reason over all this data and cut through the noise to analyze threats, analysts spend several hours if not days performing manual tasks. The Azure Firewall integration in Security Copilot helps analysts perform these investigations with the speed and scale of AI. An example of a security analyst processing the threats their Firewall stopped can be seen below: Analysts spend hours writing custom queries or navigating several manual steps to retrieve threat information and gather additional contextual information such as geographical location of IPs, threat rating of a fully qualified domain name (FQDN), details of common vulnerabilities and exposures (CVEs) associated with an IDPS signature, and more. Copilot pulls information from the relevant sources to enrich your threat data in a fraction of the time and can do this not just for a single threat/Firewall but for all threats across your entire Firewall fleet. It can also correlate information with other security products to understand how attackers are targeting your entire infrastructure. To learn more about the user journey and value that Copilot can deliver, see the Azure blog from our preview announcement at RSA last year. To see these capabilities in action, take a look at this Tech Community blog, and to get started, see the documentation. Looking Forward Azure is committed to delivering secure, reliable, and high-performance connectivity so you can focus on building what’s next. Our team is dedicated to creating innovative, resilient, and secure solutions that empower businesses to leverage AI and the cloud to their fullest potential. Our approach of providing layered defense in depth via our security solutions like Confidential Compute, Azure DDoS Protection, Azure Firewall, Azure WAF, Azure virtual network TAP, network security perimeter will continue with more enhancements and features upcoming. We can’t wait to see how you’ll use these new security capabilities and will be keen to hear your feedback.
Automating Container Image Cleanup in AKS with Eraser
🧭 Introduction In Kubernetes environments, it’s standard practice for CI/CD pipelines to build and deploy container images. However, what’s often overlooked is the cleanup of these images once they’re no longer in use. Over time, this can lead to an accumulation of: Unused images Outdated versions Vulnerable containers Kubernetes does offer native garbage collection, but it only triggers based on disk usage thresholds, ignoring the security posture of the images. Eraser addresses this gap by intelligently scanning and cleaning up container images that meet specific criteria — like being unused, outdated, or vulnerable. 🏗️ Architecture AKS Image cleaner architecture Eraser supports two operational modes for container image cleanup: Manual Mode You define a list of images to be removed via a custom resource called ImageList. Eraser then deploys cleanup pods that remove these specific images across all cluster nodes. Perfect when you already know which images are unnecessary or risky. Automated Mode This runs on a scheduled timer and, by default, uses a vulnerability scanner (Trivy) to determine which images to remove. Options: Replace Trivy with another scanner Disable scanning entirely (acts as traditional GC) Eraser ensures: Continuous hygiene Automated image cleanup Compliance with security standards 🧩 Eraser Components (Pod-Level Breakdown) eraser-controller-manager Listens for new cleanup requests (manual or automated) Schedules cleanup pods dynamically across cluster nodes eraser Worker Pods (per node) Each pod contains 3 containers: Collector — Gathers data on all container images per node Trivy Scanner — Identifies known vulnerabilities in each image Remover — Deletes images that are both unused and vulnerable 🔧 Enabling Image Cleaner in AKS 1. Using Bicep Template Enable Image Cleaner by setting it in the securityProfile section: securityProfile: { imageCleaner: { enabled: true intervalHours: 168 // 7 Days } } 2. Using Azure CLI To enable on a new AKS cluster: az aks create \ - name <your-cluster-name> \ - resource-group <your-resource-group> \ - enable-image-cleaner To enable on an existing AKS cluster: az aks update \ - name <your-cluster-name> \ - resource-group <your-resource-group> \ - enable-image-cleaner 🚀 How Automated Cleanup Works Once deployed, eraser-controller-manager takes over with no manual input required: Worker pods (eraser-aks-xxxxx) are created per node Each worker runs the Collector, Scanner, and Remover lifecycle Vulnerable and unused images are cleaned up Scheduling: Once cleanup is done, worker pods self-destruct Next cleanup auto-triggers based on — image-cleaner-interval-hours ✋ Manual Mode Walkthrough Objective Demonstrate manual cleanup of an unused image (alpine:3.7.3) using Eraser. Step 1: Deploy DaemonSet cat <<EOF | kubectl apply -f - apiVersion: apps/v1 kind: DaemonSet metadata: name: alpine spec: selector: matchLabels: app: alpine template: metadata: labels: app: alpine spec: containers: - name: alpine image: docker.io/library/alpine:3.7.3 EOF Step 2: Delete DaemonSet (Image remains on nodes) kubectl delete daemonset alpine Step 3: Create ImageList CRD cat <<EOF | kubectl apply -f - apiVersion: eraser.sh/v1 kind: ImageList metadata: name: imagelist spec: images: - docker.io/library/alpine:3.7.3 EOF Eraser then cleans the unused alpine:3.7.3 image from all nodes. Retrying Manual Cleanup Manual cleanup is one-time and triggered only when: A new ImageList is created An existing ImageList is updated 💡 To re-remove the same image: create a new ImageList. ✅ Conclusion Eraser bridges a critical gap in Kubernetes operations by offering automated and secure cleanup of container images. Whether you want to: Maintain compliance Enhance security posture Keep nodes lean …Eraser is a must-have utility for modern Kubernetes workloads. 👉 Start integrating it today and take the hassle out of image hygiene!Tech Accelerator: Azure security and AI adoption
Plan, build, manage and optimize your Azure deployments and AI projects with a security-first mindset. Learn how Microsoft protects its platform and get in-depth technical guidance from Microsoft experts about how you can use various products and tools to identify security risks in your Azure environments, protect your infrastructure from security threats, secure your AI workloads, and more! April 22, 2025 - now on demand Q&A will remain open for all sessions through Friday, April 25! Security: An essential part of your Azure and AI journey Secure by design: Azure datacenter and hardware security AMA: Azure platform security Enhancing security for cloud migration How to secure your AI environment How to design and build secure AI projects Safeguard AI applications with Microsoft Defender for CloudIntroducing XFF header for Azure Firewall: Gain crucial insights to help stay secure
The X-Forwarded-For (XFF) HTTP header provides crucial insight into the origin of web requests. The header works as a mechanism for conveying the original source IP addresses of clients, and not just across one hop, but through chains of multiple intermediaries. Information embedded in XFF headers is vital to network security to help with both enforcement and auditing. Thus, it’s important for proxies like Azure Firewall to preserve this information when packets flow through the networks. This blog shares Azure Firewall handling XFF headers. How does Azure Firewall handle XFF headers? Proxies can perform several actions on the XFF headers received. This includes preserving the XFF contents received before forwarding to the next hop, augmenting client IP to the XFF header and enforcing policies based on XFF contents. Azure Firewall preserves and augments XFF header based on how the traffic is received and processed. Behavior is detailed below. Traffic/Payload Rule Processed Preserves original content in the XFF header Augment Client IP to the XFF header HTTP payload Application Rules Preserved YES HTTPs payload Application Rules Preserved NO (XFF header is encrypted) HTTPs with TLS termination Application Rules Preserved YES HTTP or HTTPs payload DNAT/Network rules Preserved – Azure Firewall doesn’t impact HTTP headers as traffic is processed at layer 4 Validating Azure Firewall behavior: For this blog, I set up a local environment with NGINX to validate Firewall behavior. This includes a local client running in Azure, Internet client and a NGINX webserver to process http/s traffic. I used a private DNS zone to redirect traffic of a popular domain (example.com) to my NGINX server behind the firewall. HTTP/s client traffic and response: The client sends a http payload to example.com after adding 192.0.2.100 to XFF header. Azure Firewall output: The Azure Firewall receives both HTTP and HTTPs requests as the NGINX server redirects the client HTTP traffic to HTTPs listener. Server XFF header output: For HTTP requests, XFF output displays both the client IP and the appended IP in the curl request. For HTTPs requests, XFF output displays only the IP added by the client. DNAT traffic to the server: Internet clients send https traffic to the NGINX server via Azure Firewall Public IP. Azure Firewall receives the traffic as a DNAT rule and redirects the traffic to the translated destination server. Server XFF header output: Traffic is received with XFF header inserted by the client. Azure Firewall doesn’t impact this header as it receives the traffic on the network. Conclusion: In conclusion, the X-Forwarded-For (XFF) HTTP header plays a crucial role in providing insight into the origin of web requests. It helps convey the original source IP addresses of clients through multiple intermediaries, which is vital for network security, enforcement, and auditing. Azure Firewall's handling of XFF headers ensures that this information is preserved and augmented based on how the traffic is received and processed. By maintaining the integrity of XFF headers, Azure Firewall enhances security measures and provides a reliable mechanism for tracking the source of web traffic.Accelerating Azure Security: Key Insights at Our Upcoming Virtual Event
On April 22 nd join Azure security and AI experts at the “Azure security and AI Adoption” Tech Accelerator event hosted on Tech Community. 7 total sessions will be hosted, including several contributors from the Azure Infrastructure Blog. Here is a roundup of 4 key sessions for Azure Infrastructure Blog followers: Kicking off at 8 AM PST will be the Keynote delivered by Azure CVP Uli Homann – “Security: An essential part of your Azure and AI journey.” Join to take a closer look at the importance of embedding security from initial consideration of Azure to the ongoing management of workloads and AI applications. Next up at 8:30 AM will be “Secure by design: Azure datacenter & hardware security” delivered by Azure Senior Director Alistair Speirs. Join this session to explore the security capabilities built into every Azure datacenter, along with new hardware security innovations that provide an extra layer of protection for every workload in Azure. Our first session delivered by Azure Infra Blog author will be Azure Principal Program Manager Anupam Vij’s “Azure Network Security Embedded Features and Use Cases” at 9:00 AM. This session will guide you through common use cases, detailing which robust security features apply to each scenario. The last session featuring an Azure Infra Blog author will be Joey Snow’s “How to design and build secure AI projects” at 10:30 AM. This session equips technical professionals with the knowledge and tools to create secure AI workloads. Attendees will learn how to incorporate Responsible AI and security-by-design principles from the Azure Well-Architected Framework, identify tradeoffs during design, and prioritize security. We hope you are able to join the virtual event, as well as join Azure platform security’s presence at in-person events including RSA Conference (April 28-May 1) and Microsoft Build (May 19-22).So, you want to have a public IP Address for your application?
In Microsoft Azure, a public IP address is a fundamental component for enabling internet-facing services, such as hosting a web application, facilitating remote access, or exposing an API endpoint. While this connectivity drives functionality, it also exposes resources to the unpredictable and often hostile expanse of the internet. This blog dives deep into the security implications of a public IP in Azure, using a detailed scenario to illustrate potential threats and demonstrating how Azure’s robust toolkit—Network Security Groups (NSGs), Azure DDoS Protection, Azure Firewall, Web Application Firewall (WAF), Private Link, and Azure Bastion—can safeguard against them. Scenario: The exposed e-commerce platform Imagine a small e-commerce business launching its online store on Azure. The infrastructure includes an application gateway hosting a web server with a public IP (e.g., 20.55.123.45), an Azure SQL Database for inventory and customer data, and a load balancer distributing traffic. Initially, the setup works flawlessly, customers browse products, place orders, and the business grows. But one day, the IT team notices unusual activity: failed login attempts spike, site performance dips, and a customer reports a suspicious pop-up on the checkout page. The public IP left with minimal protection has become a target. The threats of public IP exposure A public IP is like an open address in a bustling digital city. It’s visible to anyone with the means to look, and without proper safeguards, it invites a variety of threats: Brute Force Attacks: Exposed endpoints, such as a VM with Remote Desktop Protocol (RDP) or SSH enabled, become prime targets for attackers attempting to guess credentials. With enough attempts, weak passwords can crumble, granting unauthorized access to sensitive systems. Exploitation of Vulnerabilities: Unpatched software or misconfigured services behind a public IP can be exploited. Attackers regularly scan for known vulnerabilities—like outdated web servers or databases—using automated tools to infiltrate systems and extract data or plant malware. Distributed Denial of Service (DDoS) Attacks: A public IP can attract floods of malicious traffic designed to overwhelm resources, rendering services unavailable. For businesses relying on uptime, this can lead to lost revenue and damaged trust. Application-Layer Attacks: Web applications exposed via a public IP are susceptible to threats like SQL injection, cross-site scripting (XSS), or other exploits that manipulate poorly secured code, potentially compromising data integrity or user privacy. Left unprotected, a public IP becomes a liability, amplifying the attack surface and inviting persistent threats from the internet’s darker corners. Azure’s Security Arsenal Azure provides a layered approach to securing resources with public IPs. By leveraging its built-in services, organizations can transform that open gateway into a fortified checkpoint. Here’s how these tools work together to mitigate risks: Azure DDoS Protection Azure DDoS Protection protects from overwhelming public IPs with malicious traffic. Azure DDoS Protection, available for infrastructure protection and as Network & IP Protection SKUs, monitors and mitigates these threats. The Network and IP Protection SKUs uses machine learning to profile normal traffic patterns, automatically detecting and scrubbing malicious floods—such as SYN floods or UDP amplification attacks—before they impact application availability. Azure Web Application Firewall (WAF) When a public IP fronts a web application (e.g., via Azure Application Gateway), the WAF adds application-layer protection. It inspects HTTP/HTTPS traffic, thwarting attacks like SQL injection or XSS by applying OWASP core rule sets. This is critical for workloads where the public IP serves as the entry point to customer-facing services. Network Security Groups (NSGs) NSGs act as a virtual firewall at the subnet or network interface level, filtering traffic based on predefined rules. For the specific scenario above, an NSG should be used to restrict inbound traffic to an Application Gateway’s public IP, allowing only specific ports (e.g., HTTPS on port 443) from trusted sources while blocking unsolicited RDP or SSH attempts. This reduces the attack surface by ensuring only necessary traffic reaches the resource. Azure Private Link Sometimes, the best defense is to avoid public exposure entirely. Azure Private Link allows resources—like Azure SQL Database or Storage—to be accessed over a private endpoint within a virtual network, bypassing the public internet. By pairing a public IP with Private Link for internal services, organizations can limit external exposure while maintaining secure, private connectivity. Azure Bastion For administrative access to backend VMs, exposing RDP or SSH ports via a public IP is a common risk. Azure Bastion eliminates this need by providing a fully managed, browser-based jump box. Admins connect securely through the Azure portal over TLS, reducing the chance of brute force attacks on open ports. Building a Secure Foundation A public IP in Azure doesn’t have to be a vulnerability, it can be a controlled entryway when paired with the right defenses. Start by applying the principle of least privilege with NSGs, restricting traffic to only what’s necessary. Layer on DDoS Protection and Azure Firewall for network-level resilience and add WAF for web-specific threats. Where possible, shift sensitive services to Private Link, and use Bastion for secure management. Together, these services create a multi-tiered shield, turning a potential weakness into a strength. In today’s threat landscape, a public IP is inevitable for many workloads. But leveraging Azure’s built in security tools, your organization can embrace the cloud’s connectivity while keeping threats at bay, allowing you to embrace the cloud without compromising security.Enhancing VM security: Azure's approach to safer connectivity for all users
When it comes to cloud security, one of the most critical aspects is managing connectivity to your virtual machines (VMs) without exposing them to unnecessary risks. To help you with this, Azure provides secure and seamless remote access to your Azure VMs over TLS – at no added cost - through Azure Bastion Developer, a fully managed, platform-native service. Enabling secure connectivity goes beyond just securing remote access to VMs; it plays an integral role in a broader security strategy for Azure customers under the “Secure-By-Default” initiative. By eliminating the need for public IPs on your VMs and the complexities associated with traditional remote access methods, Bastion Developer fundamentally changes how Azure customers approach security. In this blog, we will discuss how secure connectivity via Bastion Developer enhances security for all Azure customers. Reduced attack surface Public IPs and open ports are significant vulnerabilities in traditional remote access methods. They can be exploited by attackers to gain unauthorized access to your VMs, leading to data breaches, malware infections, and other security incidents. Open ports can also be scanned and targeted by malicious actors, increasing the likelihood of successful attacks. By eliminating the need for public IPs, Bastion Developer minimizes these risks and enhances the overall security of your Azure environment. This secure-by-default approach ensures that your VMs are only accessible through a secure connection to a private IP, safeguarding your sensitive data and resources from external threats. Simplified security management Bastion Developer simplifies security by removing the need for complex VPN configurations, public IPs, and agent-based installation. It’s a centralized, managed solution that integrates directly into your Azure environment, making security management much more straightforward. Additionally, Bastion Developer offers a one-click connection feature, allowing users to securely access their virtual machines without the need for any deployment. This feature enables developers and IT teams to connect to their VMs in just seconds, streamlining the process and enhancing productivity. With no additional infrastructure required, users can enter their VM credentials, click “Connect,” and gain secure access almost instantly in the Azure portal. Bastion Developer also offers CLI-based connectivity for SSH connections. Reduced risk of misconfigurations Bastion Developer's automated and streamlined approach eliminates the risks of human error and configuration mistakes, which can be common source of security vulnerabilities. By eliminating the need for manual configuration or deployment, Azure Bastion Developer eliminates the risks of human error and configuration mistakes that could otherwise lead to insecure access points, making it an accessible option for all Azure customers, regardless of their level of networking expertise. No added cost The best part? Azure Bastion Developer is 100% free with every Azure subscription. This lightweight connectivity offering was made free under Microsoft’s “Secure-by-Default” initiative to ensure that security is accessible and affordable for all Azure users. Unlike traditional public IP methods, which can cost more than $4 per IP address per month, Bastion Developer offers secure connections to one VM at a time at zero additional cost. This affordability removes barriers to robust security by making it more economically viable for developers and IT teams. Additionally, the cost-effectiveness of this service encourages widespread adoption, ensuring that even smaller organizations with limited budgets can benefit from enhanced security measures. This seamless and cost-effective approach ensures that all Azure customers can easily enhance their security posture without incurring extra expenses. Conclusion In Azure, our goal is to offer the most secure platform for our customers as the default. Cyberattacks are becoming more and more common, and exposing VM ports with public IPs increases their vulnerability. Our approach with Bastion Developer is to enable secure connectivity by default without exposing public endpoints -- at no additional cost. We received this feedback from our users, especially developers who need to make brief and limited persistent connections to VMs regularly. With its ability to reduce your attack surface, simplify security management, and integrate seamlessly with the Azure ecosystem, Bastion Developer is a must-have tool for any developer looking to improve their cloud security. Start using Azure Bastion Developer today to secure your Azure VMs and improve your overall security posture at no extra cost.
